TAMIL SECURING SPRING REST APPLICATION WITH BASIC AUTHENTICATION | InterviewDOT


Basic Authentication is the simplest way to enforce access control on resources. Here, the HTTP user agent provides the username and the password when making a request. The string containing the username and password separated by a colon is Base64-encoded before being sent to the backend when authentication is required.

What is the purpose of BasicAuthenticationPoint?

Most Spring tutorials available online teach you how to secure a REST API with Spring using examples that are far from real application problems. You will surely agree that most tutorials lack real-world use cases.

This tutorial aims to help you secure a real-world application, not just another Hello World Example.

In this tutorial we’ll learn:

How to secure a Spring MVC Rest API using Spring Security,
Configure Spring Security with Java code (no painful XML),
And delegate authentication to a UserAuthenticationService with your own business logic.
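As an added example, not code from the video or from InterviewDOT, here is a Spring Security 6 style Java configuration that secures a REST API with Basic Authentication and wires in a BasicAuthenticationEntryPoint, which is presumably the class the question above refers to: it answers unauthenticated requests with 401 and a WWW-Authenticate: Basic challenge. The realm name, the in-memory user and the class name are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;

@Configuration
@EnableWebSecurity
public class BasicAuthSecurityConfig { // assumed class name

    // The entry point is what runs when a protected resource is requested without
    // valid credentials: it sends HTTP 401 with "WWW-Authenticate: Basic realm=..."
    // so the client knows it must resend with a Basic Authorization header.
    @Bean
    public BasicAuthenticationEntryPoint basicEntryPoint() {
        BasicAuthenticationEntryPoint entryPoint = new BasicAuthenticationEntryPoint();
        entryPoint.setRealmName("interviewdot-api"); // assumed realm name; Spring calls afterPropertiesSet()
        return entryPoint;
    }

    @Bean
    public SecurityFilterChain apiFilterChain(HttpSecurity http,
                                              BasicAuthenticationEntryPoint entryPoint) throws Exception {
        http
            // REST clients resend credentials on every call, so no HTTP session is kept;
            // with no session cookie there is nothing for CSRF to ride on, hence csrf off.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(c -> c.disable())
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .httpBasic(basic -> basic.authenticationEntryPoint(entryPoint));
        return http.build();
    }

    // Demo user store only; a real application delegates here to its own UserAuthenticationService.
    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder) {
        return new InMemoryUserDetailsManager(
            User.withUsername("alice").password(encoder.encode("change-me")).roles("USER").build());
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(); // passwords are stored hashed, never compared in plaintext
    }
}
```

Because Basic credentials are only Base64-encoded, not encrypted, this configuration is only as safe as the TLS connection it runs over.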

The following Spring Security setup works as follows:

The user logs in with a POST request containing his username and password,
The server returns a temporary / permanent authentication token,
The user sends the token within each HTTP request via an HTTP header Authorization: Bearer TOKEN.
When the user logs out, the token is cleared on server-side. That’s it!

Now, let's see different examples with a variety of authentication schemes:

Simple Example: authentication based on the UUID of the user,
JWT Example: authentication based on a JWT token.

Let's now briefly see how the Maven modules are organized. Implementing modules depend only on API modules. It is up to the application module (like example-simple) to tie the implementations together.

Basic authentication has certain limitations and might not fit all use cases. We will extend this article to see how to implement a token-based security feature with Spring. Let's look at the workflow for a better understanding:

The user sends a request with a username and password.
Spring Security returns a token back to the client API.
The client API sends the token in each request as part of authentication.
The token is invalidated on logout.

Spring Security is a powerful and highly customizable authentication and access-control framework. It is the de-facto standard for securing Spring-based applications.

Spring Security is a framework that focuses on providing both authentication and authorization to Java applications. Like all Spring projects, the real power of Spring Security is found in how easily it can be extended to meet custom requirements.

Spring Security is a Java/Java EE framework that provides authentication, authorization and other security features for enterprise applications. The project was started in late 2003 as 'Acegi Security' (pronounced Ah-see-gee /ɑːsiːdʒiː/, whose letters are the first, third, fifth and seventh characters of the English alphabet, chosen to prevent name conflicts) by Ben Alex, and was publicly released under the Apache License in March 2004. Subsequently, Acegi was incorporated into the Spring portfolio as Spring Security, an official Spring sub-project.

OAuth 2 is an authorization framework that enables applications to obtain limited access to user accounts on an HTTP service, such as Facebook, GitHub, and DigitalOcean. It works by delegating user authentication to the service that hosts the user account, and authorizing third-party applications to access the user account. OAuth 2 provides authorization flows for web and desktop applications, and mobile devices.
Comments

Next level, Vinoth. I'm a Java guy. I really like your dialect and way of teaching.

rathinmaheswaran

Thanks bro. It's easily understandable. Can you please post a video about the Spring Security OAuth concept?

vignesh

Sir, once again a super video!! Please make a video on how to use debugging mode in IntelliJ or Eclipse in bigger Spring projects which involve Spring Data and the RESTful part. Please take it as a kind request.

seenuarunandirajendran